Tuesday, May 21, 2013

As part of expert testimony at today’s Senate Sub-Committee Hearing to Examine Offshore Profit Shifting and Tax Avoidance by Apple Inc., Professor J. Richard Harvey has made a compelling case that the tax system Apple is taking advantage of needs to have its loopholes closed.
Harvey — a distinguished Professor of Practice at Villanova University’s School of Law — says that while what Apple has done is acceptable under current International tax law, it still widely uses tax tricks and gimmicks to avoid paying what it fully owes.

“What Apple has done is acceptable under current International tax laws,” said Harvey. “In some extent, Apple is not as aggressive as others, but at the end of the day, Apple funnelled 64% of its earnings into Ireland… and paid very little tax on it.”
Referring to Apple’s statement yesterday, Harvey said that when he read Apple say they “do not use tax gimmicks,” he fell off his chair.
“Apple funnelled $78 billion over four years into an Irish subsidiary with zero employees. If that’s not a tax gimmick, I don’t know what you should call it.”
How Apple was able to do this, Harvey says, is due to the U.S.’s adoption of arms-length pricing, which allows companies to shift income into other countries if that income is derived from a joint effort and joint intellectual property. “It’s true for companies making a cure for cancer, or an iPhone or iPad.” In Apple’s case, they shifted their intellectual property and income derived from it to non-existent entities overseas.
So Apple entered a cost sharing agreement with its own Irish subsidiary, and paid less than 0.05% on taxes in over $78 billion in income.
“Is it right that Apple can transfer this to an affiliate with no employees and very little presence?”
Harvey suggests that Apple cut a deal off-the-books with the Irish government to pay essentially no tax in four years.

“Apple has roughly 60% of global sales outside of the U.S., but Apple only allocates 6% of profits to rest of the world. The way they accomplish this is by paying very small sales commisions in other countries to reduce their tax burden. It’s not illegal, but it’s a gimmick.”
Harvey says that the real question is what to do about all of this. Apple is doing nothing illegal, he says, but what’s legal here is an issue. “Something needs to be done when so much income can be allocated to an entity with no substance.”
Harvey’s recommendation was that Congress should demand greater transparency and higher reporting standards on U.S. multinationals about where and how much they pay taxes overseas. “It needs to be administerable.”

Friday, May 17, 2013

from cultofmac.com
A new Mac malware has been found in the wild that allowed attackers to steal data and install unauthorized apps on a compromised machine. What makes this malware different than other recent Mac malware, though, is that it breezes right past Gatekeeper… and the people behind it might have been gunning for the life of their malware victim.
Known security researcher and privacy activist Jacob Applebaum discovered the malware — which is being called OSX/KitM.A by Finnish antivirus firm F-Secure — on the laptop of a human rights activist at the Oslo Freedom Forum earlier this week.
KitM.A got on the machine as a result of a spear phishing attack, which is a phishing attack in which specific individuals (instead of a wider range of victims) are targeted. The malware takes screenshots of what is happening on the Mac amd sends them to servers in the Netherlands. It can also download and install other malware, executing commands on behalf of attackers and manipulating the network activity monitor so that its presence remains undetected.
What’s so interesting about this specific malware is that it was signed by a valid Apple Developer ID. This means that it just blew past Gatekeeper, OS X Mountain Lion’s anti-malware firewall that is supposed to keep out just this sort of program. But it also means that Apple can just revoke the app’s certificate, killing it instantly on all computers with Gatekeeper turned on. And hopefully, it means that the attackers behind this particularly insidious form of malware can be tracked down and prosecuted, because they’ve left a signature: their own Apple Developer ID.
Applebaum said that he may publish more details on the attack once he ascertains the threat to the victim’s life. Someone was gunning for him, after all, and given what’s going on in Angola these days, that’s a sensible precaution.

from cultofmac.com
A new piece of Mac malware has been discovered. The virus installs itself as “macs.app” and silently takes screenshots to then upload to shady servers. It doesn’t appear to be very widespread at the moment.
The malware was uncovered on an African activist’s Mac at the Oslo Freedom Forum, an annual event dedicated to “exploring how best to challenge authoritarianism and promote free and open societies.”
Once installed, macs.app runs in the background and repeatedly takes screenshots. Each image is then stored in an unsuspecting folder in the user’s home directory. From there, the screenshots are uploaded to “securitytable.org” and “docsforum.inf,” which are both unavailable domains.
Unlike most Mac malware, a valid Apple Developer ID is associated with macs.app to get it past Gatekeeper, Apple’s security system in OS X Mountain Lion. The ID is assigned to Rajender Kumar. Apple has the ability to revoke the ID’s privileges, and then this malware would assumedly be dead in the water.
A malicious tool that only takes screenshots to upload is pretty unique, so this is likely not part of a larger attack.

Wednesday, May 1, 2013

from blog.trendmicro.com
Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs.
Upon looking at the URLS, we noted that there was a consistent pattern to the URLs of these phishing sites. They are under a folder named ~flight. Interestingly, trying to access the folder itself will load the following page:

Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised.

We’ve identified a total of 110 compromised sites, all of hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned.

The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:

Users may be redirected to these phishing sites via spam messages that state that the user’s account will expire unless their information is subject to an “audit”, which not only gets users to click on the link, it puts them in a mindset willing to give up information.

One way to identify these phishing sites, is that the fake sites do not display any indications that you are at a secure site (like the padlock and “Apple Inc. [US]” part of the toolbar), which you can see in this screenshot of the legitimate site:

The screenshot above is from Chrome, but Internet Explorer and Firefox both have similar ways to indicate secure sites.

For the phishing messages themselves, legitimate messages should generally have matching domains all around – where they were sent from, where any links go to, etcetera. Mere appearance of the email isn’t enough to judge, as very legitimate-looking emails have been used maliciously. We also encourage users to enable the two-factor authentication that Apple ID recently introduced, for added protection.

In case you’re using mobile devices to manage your Apple ID or other parts of your online activities, you may read our ebook about avoiding bad mobile URLs to help protect yourself. We have blocked all sites and messages related to these attacks.